Sunday, 08 April 2007

Verifying the authentication mechanisms used in routing protocols

Way back in my previous post, I gave a list of auditing commands to follow when auditing Cisco routers. Now it is time to verify whether the protocols themselves use an authentication mechanism to defeat most of the attacks against them. Most of the time after a penetration test, if you find the telnet port open, you would suggest that the client use SSH instead of telnet. This is fine, because it is easy to migrate between those protocols. What if the SNMP port is open? Do you tell the client to disable it because it is vulnerable to attacks, or do you suggest that the client upgrade to the latest version? What about compatibility and interoperability issues between SNMPv2 and SNMPv3? What if the client needs this protocol for monitoring purposes? Well, I guess there is always a solution to everything. I will show you the steps you can perform to ensure that the "vulnerable" protocol is at least safe from 70% of the attacks.

SNMP: Make sure an access-list is used to limit the machines that are allowed to access the router. For example, see the following commands:

Set the access-lists to permit only the IPs that are allowed to access the router. The list numbers must match the ones referenced by the snmp-server community commands that follow.

! list numbers must match the ones bound to the community strings below
access-list 28 permit 192.168.1.1
access-list 29 permit 192.168.1.2


The commands below set the community strings, which are sort of like passwords, and bind them to access-lists 28 and 29. Of course, you should set very strong community strings to avoid brute-force or dictionary attacks.

snmp-server community cisco1 RW 28
snmp-server community cisco2 RO 29


The commands below allow the router to send traps to the SNMP manager machines:

snmp-server host 192.168.1.1 cisco1 snmp
snmp-server host 192.168.1.2 cisco2 snmp


So by using the access-list command, only the allowed hosts are able to perform the necessary tasks.

RIP: RIPv1 does not support any authentication; its routing updates are sent in plain text. RIPv2, however, supports both plain text and MD5 authentication. When auditing an IOS config file, check for the following keywords:

! global configuration
key chain cisco
 key 1
  key-string rip

! interface configuration
ip rip authentication key-chain cisco
ip rip authentication mode md5


To enable routing protocol authentication, the key chain command identifies a group of authentication keys, the key command identifies an authentication key on a key chain, and the key-string command specifies the authentication string for a key. On top of that, make sure that ip rip authentication mode md5 is configured for the RIP updates; without it, the key chain is still sent in plain text.

EIGRP: The same goes for EIGRP. The commands to check for EIGRP are almost identical to those for RIP, as shown below:

! global configuration
key chain cisco
 key 1
  key-string eigrp

! interface configuration
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 cisco


Please note that the EIGRP command ip authentication mode eigrp 10 md5 is different from RIP's ip rip authentication mode md5. The "eigrp 10" is interpreted as EIGRP autonomous system 10, so the number must match the AS number of the router eigrp process; please take note of that.

OSPF: OSPF supports both plain text and MD5 authentication. You can choose either authentication method depending on your preference. Some routers might not support MD5 authentication, which leaves you no choice but to use plain text authentication. Otherwise, deploy MD5 authentication, which is 100 times more secure. Check for the commands below to see if the router is using any authentication.

For plain text authentication:
! interface configuration
ip ospf authentication-key cisco
! router ospf configuration
area 0 authentication


For MD5 authentication:
! interface configuration
ip ospf message-digest-key 40 md5 cisco
! router ospf configuration
area 0 authentication message-digest

Please note that the key-id value (40 here) is what allows passwords to be changed without disabling authentication: a second message-digest-key with a new key-id and password can be added alongside the old one, and the old key removed once the neighbours have the new one.
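As an added example that is not part of the original post, the following Python script runs the checks above against a saved IOS configuration: SNMP communities with no access-list or with an access-list that is never defined, a RIPv2 key chain without mode md5, an EIGRP key chain without the matching mode md5 command, and an OSPF authentication-key with no message-digest-key. The sample config, interface names and community strings are constructed for illustration.

```python
import re

# Constructed sample IOS config (hypothetical; not from the post or a real device).
SAMPLE_CONFIG = """\
access-list 28 permit 192.168.1.1
snmp-server community cisco1 RW 28
snmp-server community public RO
interface FastEthernet0/0
 ip rip authentication key-chain cisco
interface FastEthernet0/1
 ip rip authentication key-chain cisco
 ip rip authentication mode md5
 ip ospf authentication-key cisco
interface FastEthernet0/2
 ip authentication key-chain eigrp 10 cisco
 ip ospf message-digest-key 40 md5 cisco
"""

def audit_config(config):
    """Return (severity, message) findings for the SNMP/RIP/EIGRP/OSPF checks."""
    findings = []
    # SNMP: every community must be bound to an access-list that actually exists.
    acls = set(re.findall(r"^access-list (\d+) permit", config, re.M))
    for name, mode, acl in re.findall(
            r"^snmp-server community (\S+) (RO|RW)(?: (\d+))?$", config, re.M):
        if not acl:
            findings.append(("HIGH", f"SNMP community {name} ({mode}) has no access-list"))
        elif acl not in acls:
            findings.append(("HIGH", f"SNMP community {name} uses undefined access-list {acl}"))
    # Group indented sub-commands under their interface, then check each protocol.
    iface, blocks = None, {}
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
            blocks[iface] = []
        elif iface and line.startswith(" "):
            blocks[iface].append(line.strip())
        else:
            iface = None
    for name, cmds in blocks.items():
        def has(prefix):
            return any(c.startswith(prefix) for c in cmds)
        if has("ip rip authentication key-chain") and not has("ip rip authentication mode md5"):
            findings.append(("MEDIUM", f"{name}: RIPv2 key chain set but mode is plain text"))
        if has("ip authentication key-chain eigrp") and not has("ip authentication mode eigrp"):
            findings.append(("HIGH", f"{name}: EIGRP key chain set but MD5 mode not enabled"))
        if has("ip ospf authentication-key") and not has("ip ospf message-digest-key"):
            findings.append(("MEDIUM", f"{name}: OSPF uses plain text authentication"))
    return findings
```

Running audit_config over the sample flags the public community, FastEthernet0/0 (RIP plain text), FastEthernet0/1 (OSPF plain text) and FastEthernet0/2 (EIGRP without MD5), while the properly configured lines produce no finding.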

So the above is a quick list of checks for authentication on routing protocols. If you get the chance to audit a router config file, a glance will tell you how good the network administrator is.

To learn more about the usage and meaning of these commands, refer to http://cco.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017d029.html
